Extension:SecureHTML - XSS risk?
I took a look at the code. It relies on Title::isProtected, which appears to return true if a page is semi-protected. That means that untrusted users who have simply become autoconfirmed are capable of making XSS attacks on the wiki.
Ah ok. Since Jean-Lou Dupont is inactive, I'd like to fix it for myself.
I don't autopromote e-mail-confirmed users. Editing is allowed for registered users only:
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;
Is that safe enough?
I protect all pages for "Administrators only". How could I check isProtected() against that?
Well you'll need to semi-protect a page to test it.
But this isn't emailconfirmed, it's autoconfirmed. And it's a default part of the system; you can't remove it.
Presumably a half-decent fix might be to use $title->isProtected( 'edit' ) && !$title->isSemiProtected( 'edit' ).
That said, the premise of these extensions is horrible. Allowing arbitrary pages to have raw HTML can never truly be secure, no matter what the protection.
To top off the issue with isProtected this extension relies on modifying a wg global in order to work. This isn't local. If something else is parsed on the same page as a protected page an unsafe page could potentially be parsed allowing raw html in it.
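As an added illustration of the two points above (not the SecureHTML extension's own code, and not posted by anyone in this thread): a tag hook that only emits raw HTML when the page carrying the tag is fully protected, rejecting semi-protection, and that takes the title from the parser frame rather than from a wiki-wide $wg global. The tag name <rawhtml> and the function names are assumptions; the Title, Parser and PPFrame methods used are MediaWiki core APIs of the era this thread is from.

```php
<?php
// Added example, not the extension's code. Decides per page whether raw
// HTML may be emitted: only full protection qualifies, so autoconfirmed
// users who can edit a semi-protected page get no raw-HTML capability.

/**
 * True only if $title carries 'edit' protection that is NOT semi-protection.
 * isProtected( 'edit' ) alone is also true for semi-protected pages, which
 * is the gap described in the thread.
 */
function rawHtmlAllowedOnTitle( Title $title ) {
	if ( !$title->isProtected( 'edit' ) ) {
		return false;
	}
	// isSemiProtected() is true when every restriction level on the page
	// is one listed in $wgSemiprotectedRestrictionLevels (e.g. autoconfirmed).
	if ( $title->isSemiProtected( 'edit' ) ) {
		return false;
	}
	return true;
}

/**
 * Tag hook for a hypothetical <rawhtml> tag.
 * The decision is taken against the frame's own title: when a protected
 * page transcludes an unprotected one, $frame->getTitle() is the
 * transcluded page, so it cannot inherit the parent's trust. A $wg global
 * set while parsing the protected page would leak across that boundary.
 */
function rawHtmlTagHook( $input, array $args, Parser $parser, PPFrame $frame ) {
	$title = $frame->getTitle();
	if ( !$title instanceof Title || !rawHtmlAllowedOnTitle( $title ) ) {
		// Fail closed: render the content escaped instead of as markup.
		return '<pre>' . htmlspecialchars( $input, ENT_QUOTES ) . '</pre>';
	}
	// Tag hook output is inserted into the page as HTML.
	return $input;
}

// Registration (hypothetical extension name) via ParserFirstCallInit.
$wgHooks['ParserFirstCallInit'][] = function ( Parser $parser ) {
	$parser->setHook( 'rawhtml', 'rawHtmlTagHook' );
	return true;
};
```

Pages that are protected only at an autoconfirmed level render the tag body as escaped text, so the "Administrators only" protection used on the asker's wiki is the only case that passes.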